Featured Speaker: George Spafford - ISACA
TRANSCRIPT
1© 2009, Cognizant Technology Solutions. Confidential
Featured Speaker: George Spafford
© Copyright IT Process Institute
Written by: Gene Kim, Paul Love and George Spafford
Visible Ops Security guides information security professionals in strengthening relationships with IT operations and development groups to advance IT objectives and business goals. It addresses the people side of IT, empowering security to work with operations teams to achieve closely aligned objectives and with development and release teams to integrate security requirements into preproduction work.
© 2009, Cognizant Technology Solutions. All Rights Reserved. The information contained herein is subject to change without notice.
Visible Ops Security
George Spafford, Principal Consultant, Cognizant
Agenda
Background
Phases
» (1) Stabilize the Patient and Get Plugged Into Production
» (2) Find Business Risks and Fix Fragile Artifacts
» (3) Implement Development and Release Controls
» (4) Continual Improvement
Management mandate alone is not sustainable
» Only Nixon could go to China
» The definition of insanity
Visible Ops Security published March 2008.
Copyright of IT Process Institute – http://www.itpi.org
Background
Information security is an organizational and national level issue
Many regulatory and contractual obligations
Expectations from shareholders and other stakeholders
Information security is nothing new
Information security must achieve objectives while helping other groups attain theirs
Operations and Information Security have history of being at odds
Integration is vital
Stabilize the Patient and Get Plugged Into Production
Gain Situational Awareness
Integrate into Change Management
Reduce and Control Access
Codify Information Security Incident Handling Procedures and Modify First Response
Step 1: Gain Situational Awareness
Find out what senior management and the business wants from information security
Find out how the business units are organized and operate
What are the IT process and technology landscapes?
Find the high-level risk indicators
Step 2: Integrate into Change Management
Get invited to Change Advisory Board meetings
Build and electrify the fence
» Being able to answer “what changed?” is critical!
» Ops and Information Security need the answer
» Authorized Person, Authorized Change
» Authorized Person, Unauthorized Change
• Well intended, Erroneous or Malicious
» Unauthorized Person, Unauthorized Change
Ensure tone from top and define consequences
Substantiate that the electric fence is working
Look for red flags
Address failed changes
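The "electric fence" above comes down to reconciling every detected production change against the CAB's authorized-change records and sorting the result into the three person/change categories. The following is an added example, not code from the slides or from the Visible Ops Security book; the change records, roster and detected-change rows are constructed, and the monitoring tool that would produce such rows is assumed.

```python
from datetime import datetime

# Constructed CAB-approved changes (not from the slides): which implementer may
# touch which configuration item (CI), and within what window.
AUTHORIZED_CHANGES = [
    {"ticket": "CHG-1001", "ci": "web01", "implementer": "alice",
     "start": datetime(2009, 5, 4, 22, 0), "end": datetime(2009, 5, 5, 2, 0)},
    {"ticket": "CHG-1002", "ci": "db01", "implementer": "bob",
     "start": datetime(2009, 5, 5, 1, 0), "end": datetime(2009, 5, 5, 3, 0)},
]
# Constructed roster of people allowed to make production changes at all.
CHANGE_AUTHORIZED_PEOPLE = {"alice", "bob"}

# Constructed detected changes as a file-integrity / config monitor (assumed)
# would report them: CI, account, time, changed path.
DETECTED = [
    ("web01", "alice", datetime(2009, 5, 4, 23, 15), "/etc/httpd/httpd.conf"),
    ("db01", "bob", datetime(2009, 5, 5, 4, 30), "/etc/my.cnf"),  # outside window
    ("web01", "bob", datetime(2009, 5, 5, 1, 10), "/etc/ssh/sshd_config"),  # no ticket
    ("app01", "mallory", datetime(2009, 5, 5, 2, 45), "/usr/bin/sudo"),  # not on roster
]

AUTH_AUTH = "authorized person, authorized change"
AUTH_UNAUTH = "authorized person, unauthorized change"
UNAUTH_UNAUTH = "unauthorized person, unauthorized change"


def classify(ci, user, when, authorized=AUTHORIZED_CHANGES, people=CHANGE_AUTHORIZED_PEOPLE):
    """Return (category, ticket) for one detected change on a CI."""
    for chg in authorized:
        if chg["ci"] == ci and chg["implementer"] == user and chg["start"] <= when <= chg["end"]:
            return (AUTH_AUTH, chg["ticket"])
    if user in people:
        return (AUTH_UNAUTH, None)  # well intended, erroneous or malicious: investigate
    return (UNAUTH_UNAUTH, None)


def report(detected=DETECTED):
    """Classify every detected change: (ci, user, path, category, ticket)."""
    return [(ci, user, path, *classify(ci, user, when)) for ci, user, when, path in detected]


def red_flags(detected=DETECTED):
    """Everything that is not 'authorized person, authorized change' is a red flag."""
    return [row for row in report(detected) if row[3] != AUTH_AUTH]


if __name__ == "__main__":
    for row in red_flags():
        print(row)
```
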
Step 3: Reduce and Control Access
Reduce unnecessary access
Establish an account management process
Eliminate ghost accounts
Re-accredit accounts routinely
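Finding ghost accounts and deciding which accounts are due for re-accreditation is a reconciliation of the account inventory against an authoritative roster. This added example (not code from the slides or the book) does that over a constructed HR roster and account list; the owner-to-employee mapping and the 90-day idle threshold are assumptions.

```python
from datetime import date, timedelta

# Constructed HR roster (not from the slides): employee id -> employment status.
HR_ROSTER = {"E100": "active", "E101": "active", "E102": "terminated"}

# Constructed account inventory: each account names an owning employee id
# (None for an unowned service account) and its last successful login.
ACCOUNTS = [
    {"user": "alice", "owner": "E100", "last_login": date(2009, 5, 1)},
    {"user": "bob", "owner": "E101", "last_login": date(2009, 1, 10)},  # idle > 90 days
    {"user": "carol", "owner": "E102", "last_login": date(2009, 4, 20)},  # owner terminated
    {"user": "svc_bkp", "owner": None, "last_login": date(2009, 5, 2)},  # no owner
    {"user": "dave", "owner": "E999", "last_login": date(2009, 5, 3)},  # owner unknown to HR
]


def review_accounts(accounts=ACCOUNTS, roster=HR_ROSTER,
                    today=date(2009, 5, 5), max_idle_days=90):
    """Sort accounts into ghost (owner gone/unknown), no_owner, reaccredit
    (owner active but account idle past the threshold) and ok."""
    findings = {"ghost": [], "no_owner": [], "reaccredit": [], "ok": []}
    for acct in accounts:
        owner = acct["owner"]
        if owner is None:
            findings["no_owner"].append(acct["user"])
        elif roster.get(owner) != "active":
            findings["ghost"].append(acct["user"])
        elif today - acct["last_login"] > timedelta(days=max_idle_days):
            findings["reaccredit"].append(acct["user"])
        else:
            findings["ok"].append(acct["user"])
    return findings


if __name__ == "__main__":
    for bucket, users in review_accounts().items():
        print(bucket, users)
```
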
Step 4: Codify Info Sec Incident Handling, Modify First Response
Use ITIL Incident Management to track
Many factors:
» Access controls are critical at the record and field level for security
» Need multiple models to handle different types of security incidents
» Incident Management will likely hand off to security incident handling / security operations
(1) Define when and how to engage information security
(2) Confirm scope of detective change controls
(3) Formalize information security incident response
Find Business Risks and Fix Fragile Artifacts
Setting the stage
Guide to the Assessment of IT General Controls based on Risk (GAIT-R)
» Establish Our Business Process Worry List
» Work the List, Zoom Out to Rule Out
» Find and Fix IT Control Issues
» Streamline IT Controls and Regulatory Compliance
Setting the stage
Cannot and must not protect everything equally
80/20 rule will apply
Bottom-up Approach
Top Down Risk Based Approach
Understanding reliance on critical controls is vital
» Reliance is placed when a control provides Critical Functionality to detect or prevent errors
Sarbanes-Oxley Year One was disastrous
» $3 billion spent remediating deficiencies that didn’t matter in Year One
Enter the Institute of Internal Auditors and GAIT
Guide to Assessment of IT General Controls based on Risk (GAIT-R)
(1) The failure of technology is only a risk that needs to be assessed, managed, and audited if it represents a risk to the business
(2) Key controls are identified as a result of a top-down assessment of business risk, risk tolerance, and the controls required to manage/mitigate business risk (controls include automated and general IT controls)
(3) Business risks are mitigated by combination of manual and automated key controls
» To assess system of internal control to manage/mitigate business risks, key automated controls need to be assessed
Guide to Assessment of IT General Controls based on Risk (GAIT-R)
(4) IT general controls may be relied upon to provide assurance of the continued and proper operation of automated key controls (e.g., change management, access information security, and operations)
» (4a) IT general control process risks that need to be identified: those that affect critical IT functionality in significant applications and related data
» (4b) IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and network
» (4c) Risks in IT general control processes are mitigated by achievement of IT control objectives, not individual controls
Step 1: Establish Business Process Worry List
(1) Cover periphery by considering externally facing systems
(2) Discover and understand externally facing IT systems
» Enterprise Application Integration (EAI) tools
» File transfer services
» Vendor Portals
(3) Verify our Business Process Worry List
» Developed in Phase One but not verified
» Validate with internal audit, business continuity, finance, accounting, etc.
Step 2: Work the List, Zoom Out to Rule Out
(1) Get help to zoom out to rule out
» What can we rule out of scope using GAIT-R?
» We must focus on what matters
(2) Get confirmation of business process significance and complexity
(3) Get documentation on where reliance on critical IT functionality is placed in the business process
(4) Zoom in for a better view
» Dig into basic details of the services and supporting systems in scope
• Business process being supported, control objectives, applicable regulations, where critical data is stored
Step 3: Find and Fix IT Control Issues
(1) Prepare key IT general control processes
» Review each CI against the relevant ITGC processes and look for gaps
» Management picked the key controls to mitigate the risks that concerned them the most <- this is key
» Greatly focuses efforts
(2) Initiate corrective actions
Step 4: Streamline IT Controls and Regulatory Compliance
Control                                | Regulation 1   | Regulation 2   | Regulation 3
AI6.1 Change Standards and Procedures  | Specific Needs | Specific Needs | Activity that will meet the needs of all regulations
Next Control                           | Specific Needs | Specific Needs | Activity that will meet the needs of all regulations
(1) Establishing the high-water mark
(2) Document the IT controls and their monitoring
Implement Development and Release Controls
Integrate with Internal Audit
Integrate into Project Management
Integrate into the Development Life Cycle
Integrate into Release Management
Step 1: Integrate with Internal Audit
Formalize the relationship with [internal] audit
Demonstrate value
» Provide domain relevant expertise
» Educate audit staff – even if information security must fund training
» Share information security organizational information, policies and standards
» Ensure adherence to daily operational procedures – let audit know what to consider inserting into audit plans
• Prevent organization from sliding backwards by keeping audit informed
Step 2: Integrate into Project Management
Participate in PMO approval meetings
» Project review, filtering and prioritization
Determine information security relevance
Integrate into project review and approval
» Update project templates to include info sec risks
» Aim to improve quality of decision-making: not obtain veto power
» Involved with control/phase gate meetings
Leverage detective controls in change management
» Determine when project management is being bypassed
Link to detective controls in purchasing and accounting
Step 3: Integrate into Development Lifecycle
Advocate the Service Development Life Cycle perspective – not just software
Investments here pay off in the future!
(1) Begin a dialog with development
(2) Establish requirements definition and secure coding practices
(3) Establish secure testing practices
Step 4: Integrate into Release Management
Strive to reduce variation in production
Easier to sustainably support and secure standardized builds vs. snowflakes
» (1) Formalize the relationship with Release Management
» (2) Ensure standards for secure builds
• Configuration settings, approved libraries, etc.
» (3) Integrate with release testing protocols
» (4) Integrate into production acceptance
• Production acceptance checklists and contracts require information security approval before production release
» (5) Ensure adherence to release implementation instructions
» (6) Ensure production matches known and trusted states
Continual Improvement
Implement an Information Security Oversight Committee (ISOC)
» Review metrics
» Help with direction
Metrics drive behavior
Absolute numbers vs. Percentages
» 100% of 1 vs. 100% of 100,000 (can be a big difference)
High-level integration measures
» Customer satisfaction
» % of target operational process integration
» Number of challenged integrations
» % of codified process integrations
“Not everything that counts can be counted and not everything that can be counted counts.”
Sign hanging in Albert Einstein's office at Princeton
Thank you
George Spafford, (269) 556-9597